If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through an xDSL connection, you need a few technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, those missing IPv6 pieces were finally added by PANW to their Strata firewalls. (I have been awaiting them since 2015!)
So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:
I’m using a PA-440 with PAN-OS 11.2.4-h2, connected through a DrayTek Vigor167 modem to the German ISP “Deutsche Telekom” on ethernet1/2. No VLAN config is needed since the DSL modem already encapsulates the traffic within VLAN 7 on the ISP side.
Side note: Unfortunately, we don’t have static IP addresses or static IPv6 subnets on most German residential ISPs. Hence, after every DSL reconnect or firewall reboot, we’ll get new public IPv4/IPv6 addresses along with a new IPv6 prefix.
PPPoE for legacy IP
Quite straightforward: a Layer 3 interface of type PPPoE, adding username & password:
PPPoEv6 & DHCPv6-PD for IPv6
There are a few more options and submenus regarding IPv6. Also note the quite good documentation from Palo Alto Networks itself.
Type PPPoEv6 Client, enable, and “Apply IPv4 Parameters” since the same login should be used
followed by the address assignment with “Accept Router Advertised Route” and Autoconfig enabled, since, in my case, the firewall gets its WAN IPv6 address through a Router Advertisement (SLAAC) from the ISP’s router rather than through stateful DHCPv6
still at the address assignment: enabling DHCPv6 but only with the Prefix Delegation options, giving the pool a name, in my case: DTAG. Note that the DHCP prefix length is just a hint and probably not honored by the ISP
and finally, DNS support, at least for the DNS resolver, while the search list from the ISP remains useless
For IPv4 client networks, you can now add (sub-)interfaces with RFC 1918 addresses together with an SNAT rule using the WAN interface. For IPv6 downstream interfaces, you have to configure “Inherited” networks that use a /64 prefix out of the one delegated by your ISP, as shown here. No NAT is needed. ✅
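To make the two caveats above concrete (the requested prefix length is only a hint the ISP may ignore, and the delegated prefix changes after every reconnect), here is an added Python example that is not part of the original post or of PAN-OS. It carves one /64 per downstream interface out of a delegated prefix, refuses to proceed when the ISP delegated less than the interfaces need, and lists literal IPv6 addresses (for example in security rules or DNS records) that belonged to the previous prefix and therefore break after renumbering. All prefixes come from the 2001:db8::/32 documentation range and the interface names are hypothetical.

```python
import ipaddress


def carve_downstream(delegated, hinted_len, interfaces):
    """Assign consecutive /64s from the DHCPv6-PD prefix to the named interfaces.

    delegated   - prefix string as received from the ISP, e.g. "2001:db8:abcd:5600::/56"
    hinted_len  - the prefix length we asked for; reported back as honored or not
    interfaces  - ordered list of downstream interface names (hypothetical)
    """
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"delegated /{pd.prefixlen} cannot hold a /64 downstream network")
    available = 2 ** (64 - pd.prefixlen)  # number of /64s inside the delegated prefix
    if len(interfaces) > available:
        raise ValueError(
            f"need {len(interfaces)} /64s but a /{pd.prefixlen} holds only {available}")
    result = {"hint_honored": pd.prefixlen == hinted_len, "subnets": {}}
    # zip() stops at the shorter sequence, so only len(interfaces) subnets are drawn
    for name, net in zip(interfaces, pd.subnets(new_prefix=64)):
        result["subnets"][name] = str(net)
    return result


def literals_invalidated(old_prefix, new_prefix, literals):
    """Return the literal addresses/networks that sat inside the old delegated
    prefix and are not covered by the new one: these must be renumbered."""
    old = ipaddress.IPv6Network(old_prefix)
    new = ipaddress.IPv6Network(new_prefix)
    stale = []
    for lit in literals:
        net = ipaddress.IPv6Network(lit, strict=False)  # a bare address becomes a /128
        if net.subnet_of(old) and not net.subnet_of(new):
            stale.append(lit)
    return stale


# Constructed sample values (documentation prefix, not real ISP data)
OLD_PD = "2001:db8:abcd:5600::/56"
NEW_PD = "2001:db8:abcd:9900::/56"
RULE_LITERALS = ["2001:db8:abcd:5601::10", "2001:db8:abcd:9901::10", "2001:db8:ffff::1"]

if __name__ == "__main__":
    print(carve_downstream(OLD_PD, 56, ["lan", "guest", "iot"]))
    print(literals_invalidated(OLD_PD, NEW_PD, RULE_LITERALS))
```

If the ISP hands out a /64 instead of the hinted /56, `hint_honored` is False and only a single downstream network fits; a second interface raises instead of silently overlapping the first one. The renumbering check is the reason to avoid hard-coded IPv6 addresses in policy where the platform offers interface- or prefix-relative objects.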
Commit ;)
Client Runtime Information
Through the GUI, you can look up various runtime information, such as the PPPoE and PPPoEv6 IP addresses, the DHCPv6-PD prefix, the prefixes actually assigned to downstream interfaces, the (default) routes within the forwarding table of the logical router, as well as the appropriate system logs:
Some basic show commands are these: (Always remember that you can find all CLI commands concerning a keyword such as “pppoe” in the following way: find command keyword pppoe.)
A Little Wiresharking
This is what it looks like on the wire between the Palo and the modem, captured with a real network TAP, the ProfiShark 1G. You can see the whole PPPoE process with its sub-protocols PPP LCP, PPP PAP, PPP IPCP, and PPP IPV6CP, followed by an RA from the ISP with the O-flag and a prefix option (packet no. 30, red arrows down below), the DAD message from the Palo (31), and the DHCPv6-PD process (35ff). This capture was taken at a later date, hence the IP addresses shown differ from the screenshots above. Never mind.
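For readers who want to follow the capture without Wireshark, here is an added Python example (not from the original post and not a Palo Alto tool) that decodes the PPPoE discovery stage (PADI/PADO/PADR/PADS, RFC 2516) and the PPP session stage (LCP, PAP, IPCP, IPV6CP) from raw Ethernet frames. The sample frames are constructed inline with locally administered MAC addresses and a dummy PAP login; they are not the author's traffic. Note that PAP carries the username and password in clear text, which is why such a capture file should be handled as sensitive material.

```python
import struct

# Code points from RFC 2516 (PPPoE) and the IANA PPP protocol number registry.
ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION = 0x8863, 0x8864
DISCOVERY_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_NAMES = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
             0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP",
                 0x8057: "IPV6CP", 0x0021: "IPv4", 0x0057: "IPv6"}
CP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
            4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
            9: "Echo-Request", 10: "Echo-Reply"}
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}


def parse_tags(payload):
    """Parse the TLV tag list of a discovery packet; stops at End-Of-List."""
    tags, pos = {}, 0
    while pos + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated PPPoE tag")
        tags[TAG_NAMES.get(ttype, f"0x{ttype:04x}")] = value
        pos += 4 + tlen
        if ttype == 0x0000:
            break
    return tags


def parse_frame(frame):
    """Decode one Ethernet frame into a dict describing its PPPoE/PPP content."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:  # version 1, type 1 is the only value RFC 2516 defines
        raise ValueError(f"unsupported PPPoE version/type 0x{ver_type:02x}")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds captured bytes")
    info = {"src": frame[6:12].hex(":"), "session_id": session_id}
    if ethertype == ETH_PPPOE_DISCOVERY:
        info["stage"] = "discovery"
        info["message"] = DISCOVERY_CODES.get(code, f"unknown(0x{code:02x})")
        info["tags"] = parse_tags(payload)
    elif ethertype == ETH_PPPOE_SESSION:
        if code != 0x00 or len(payload) < 2:
            raise ValueError("malformed PPPoE session frame")
        proto = struct.unpack("!H", payload[:2])[0]
        info["stage"] = "session"
        info["protocol"] = PPP_PROTOCOLS.get(proto, f"0x{proto:04x}")
        if proto in (0xC021, 0x8021, 0x8057) and len(payload) >= 6:  # LCP/IPCP/IPV6CP
            cp_code, info["identifier"], _ = struct.unpack("!BBH", payload[2:6])
            info["message"] = CP_CODES.get(cp_code, f"code {cp_code}")
        elif proto == 0xC023 and len(payload) >= 6:  # PAP: code, id, length, peer-id, password
            info["message"] = PAP_CODES.get(payload[2], f"code {payload[2]}")
    else:
        raise ValueError(f"not a PPPoE frame (ethertype 0x{ethertype:04x})")
    return info


def walk(frames):
    """One summary line per frame, in the order a healthy PPPoE bring-up shows."""
    lines = []
    for frame in frames:
        p = parse_frame(frame)
        lines.append(" ".join(x for x in (p["stage"], p.get("protocol"), p.get("message")) if x))
    return lines


# --- Constructed sample capture (not real traffic): firewall (FW) <-> access concentrator (AC) ---
FW, AC, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6

def pppoe(dst, src, ethertype, code, sid, payload):
    return dst + src + struct.pack("!HBBHH", ethertype, 0x11, code, sid, len(payload)) + payload

def tag(ttype, value=b""):
    return struct.pack("!HH", ttype, len(value)) + value

def cp(code, ident, options=b""):  # common LCP/IPCP/IPV6CP header
    return struct.pack("!BBH", code, ident, 4 + len(options)) + options

USER, PW = b"user@example.invalid", b"constructed-secret"  # dummy PAP login, sent in the clear
CAPTURE = [
    pppoe(BCAST, FW, ETH_PPPOE_DISCOVERY, 0x09, 0, tag(0x0101)),
    pppoe(FW, AC, ETH_PPPOE_DISCOVERY, 0x07, 0, tag(0x0101) + tag(0x0102, b"AC-constructed")),
    pppoe(AC, FW, ETH_PPPOE_DISCOVERY, 0x19, 0, tag(0x0101)),
    pppoe(FW, AC, ETH_PPPOE_DISCOVERY, 0x65, 0x0001, tag(0x0101)),
    pppoe(AC, FW, ETH_PPPOE_SESSION, 0x00, 0x0001, b"\xc0\x21" + cp(1, 1, b"\x01\x04\x05\xd4")),  # LCP, MRU 1492
    pppoe(AC, FW, ETH_PPPOE_SESSION, 0x00, 0x0001, b"\xc0\x23" + struct.pack("!BBH", 1, 1, 6 + len(USER) + len(PW))
          + bytes([len(USER)]) + USER + bytes([len(PW)]) + PW),
    pppoe(AC, FW, ETH_PPPOE_SESSION, 0x00, 0x0001, b"\x80\x21" + cp(1, 1, b"\x03\x06" + bytes(4))),  # IPCP, IP-Address 0.0.0.0
    pppoe(AC, FW, ETH_PPPOE_SESSION, 0x00, 0x0001, b"\x80\x57" + cp(1, 1, b"\x01\x0a" + bytes(8))),  # IPV6CP, Interface-Identifier
]
```

Running `walk(CAPTURE)` yields the four discovery messages followed by the LCP, PAP, IPCP and IPV6CP Configure/Authenticate requests, i.e. the same sequence visible at the top of the capture above. Frames whose PPPoE length field runs past the captured bytes are rejected rather than partially decoded.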
That’s it. Happy networking. ;)
Soli Deo Gloria!
Photo by Jonny Gios on Unsplash.